Purpose of this program is to maintain a set of DANE (TLSA) resource records in DNS via RFC2136 dynamic DNS updates, on basis of supplied TLS certificate private keys.
Currently, only DANE EE (3 1 1) is supported.
dane-updater expects zero, one, or many .pem files that contain the public key
besides the private key part; the private key itself is not used by dane-updater.
If more than one key is supplied, a rollover scheme is achieved.
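The following is an added example, not code from the dane-updater project, showing what the tool's record maintenance amounts to: derive the DANE-EE "3 1 1" rdata (SHA-256 over the DER SubjectPublicKeyInfo) from each supplied .pem file, form the `_port._tcp.host` owner name, and diff the desired TLSA set against what the zone already holds so that a rollover publishes both keys before the old one is retired. It assumes the public key appears as its own `PUBLIC KEY` PEM block; the PEM bodies and the stale zone record are constructed inputs, not real keys.

```python
import base64
import hashlib
import re

# Constructed PEM inputs (not real SubjectPublicKeyInfo): the bodies decode to
# b"abc" and b"hello", so the first digest is the well-known SHA-256 test vector.
CURRENT_PEM = "-----BEGIN PUBLIC KEY-----\nYWJj\n-----END PUBLIC KEY-----\n"
ROLL_PEM = "-----BEGIN PUBLIC KEY-----\naGVsbG8=\n-----END PUBLIC KEY-----\n"

_PUBKEY_BLOCK = re.compile(
    r"-----BEGIN PUBLIC KEY-----\s*(.*?)\s*-----END PUBLIC KEY-----", re.S)


def spki_der_from_pem(pem_text: str) -> bytes:
    """DER SubjectPublicKeyInfo from the PUBLIC KEY block of a .pem file.

    Assumption: the public key sits in its own PEM block; any private key
    block in the same file is ignored, as dane-updater ignores it.
    """
    m = _PUBKEY_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no PUBLIC KEY block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def tlsa_rdata(spki_der: bytes) -> str:
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """TLSA owner name, e.g. _25._tcp.foo.example.org. for --ports 25."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def plan_update(existing: set, desired: set) -> tuple:
    """Diff the TLSA RRset in the zone against the desired set.

    Returns (to_add, to_delete) for the RFC2136 update. Publishing every
    supplied key at once is what lets the rollover key go live without a
    window in which DANE-EE clients would reject the server.
    """
    return desired - existing, existing - desired


if __name__ == "__main__":
    desired = {tlsa_rdata(spki_der_from_pem(p)) for p in (CURRENT_PEM, ROLL_PEM)}
    stale = "3 1 1 " + "00" * 32  # constructed record left over from a retired key
    print(tlsa_owner("foo.example.org", 25), plan_update({stale}, desired))
```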
Assuming an installed Rust toolchain, you can build like this:
cargo build --release
You'll find the executable in target/release/dane-updater; just copy
it to an appropriate place. If you are targeting Linux, you can
instead build a statically-linked executable if desired:
cargo build --release --target x86_64-unknown-linux-musl
In this case, you'll find the executable at
./target/x86_64-unknown-linux-musl/release/dane-updater.
The TSIG key file contains 3 parts, separated by colons.
- Name
- Algorithm
- Key (base64)
Example:
sec1_key:hmac-md5:6KM6qiKfwfEpamEq72HQdA==
dane-updater \
--key-file privkey.pem \
--key-file privkey.roll.pem \
--zone example.org \
--rfc2136-nameserver 192.0.2.1:53 \
--ports 25 \
--tsig-key tsig.key \
foo.example.org
See also example-config.toml.
dane-updater --config example-config.toml \
--key-file privkey.pem \
--key-file privkey.roll.pem \
foo.example.org
Not yet clear if we want to support these.
- RSA key support
- Support for DANE types differing from "3 1 1"